In recent news, Instructure, the organisation behind the widely utilised Canvas learning platform, announced that it had reached a financial agreement with cyber criminals following a massive data breach. The incident involved the theft of 3.5 terabytes of student and university data. In an effort to protect those affected, the company made a payment to receive digital confirmation that the stolen information had been destroyed. While the intent to safeguard individuals is entirely understandable, this incident highlights a fundamental dilemma in modern cyber security: can an organisation ever truly trust the promise of an extortionist?
Funding the Cycle of Cyber Crime
When an organisation decides to pay a ransom for data deletion, it is directly financing the operations of cyber criminals. This capital provides malicious groups with the resources required to develop more sophisticated tools and target additional businesses. From an ethical perspective, providing millions of dollars to these syndicates is increasingly viewed as a form of assistance to criminal networks. Some security analysts even compare the financial support of cyber syndicates to funding extremist or terrorist activities, as it sustains criminal entities that actively undermine public safety and critical digital infrastructure.
The Broken Moral Compass: Extortion versus Ethical Research
To understand why paying for data deletion is fundamentally flawed, one must consider the psychology of individuals who exfiltrate data for profit. A criminal who resorts to extortion has already demonstrated that they operate entirely without a moral compass. There is no psychological compulsion or ethical code that would force them to honour an agreement to delete stolen files.
This situation is entirely different from interacting with legitimate security researchers. In a structured bug bounty programme, ethical researchers identify vulnerabilities and report them responsibly to an organisation. In those instances, paying a standard bounty and requesting the deletion of any testing data is a recognised and acceptable practice, because the researcher operates within an established framework of trust. Conversely, once a threat actor crosses the line into extortion, any expectation of honesty or integrity is completely lost.
The Reality of Extortion Operations
Historical precedents consistently show that cyber criminals routinely lie about destroying stolen information. For instance, when international law enforcement agencies successfully infiltrated the servers of the notorious LockBit ransomware group, they discovered a startling truth. Even though numerous victim organisations had paid significant ransoms, the criminals had retained the stolen data rather than deleting it. The information remained stored on their servers, perfectly positioned for future resale on the dark web or for secondary extortion attempts. Once data leaves a corporate network, all control over its distribution is effectively gone, regardless of any digital confirmation received.
Building Proactive Cyber Protections
Rather than relying on the compliance of criminals after a breach has occurred, organisations must focus on implementing robust, preventative defences. Enhancing an enterprise's security posture requires a proactive strategy that minimises vulnerabilities before they can be exploited.
Organisations seeking to strengthen their resilience could consider the following measures:
- Comprehensive Security Assessments: Regular evaluations of internal systems and employee workflows can help identify potential entry points for threat actors.
- Advanced Penetration Testing: Simulating sophisticated cyber attacks allows organisations to discover hidden weaknesses in their networks and cloud environments.
- Robust Incident Response Frameworks: Establishing clear containment procedures ensures that teams can react rapidly to minimise the impact of an incident without needing to negotiate with extortionists.
Partnering for Secure Operations
Navigating the complexities of data protection and threat mitigation requires expert guidance and a continuous commitment to security. Relying on post-incident agreements cannot replace a properly designed defensive framework.
If you are concerned about your current security configuration or wish to review your information protection strategies, the expert team at Vertex Cyber Security is available to assist. Consider contacting Vertex to explore tailored strategies that focus on genuine, long-term protection for your organisation. You can visit the official website at www.vertexcybersecurity.com.au or reach out directly via email at for further information.